The following text is copyright 1997 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
But will they pay attention this time?
I've been told that the Eskimos have a hundred or so words for snow, each denoting some slightly different type, most of which would be indistinguishable to an observer that did not have to deal with the stuff quite as intimately as they have to. We may need to start coming up with additional, more specific, alternatives to the word "clueless" in the networking world. We might come up with a few general categories. There are the passively clueless, those who just don't take the time to find out what is going on but speak or act anyway. There are the benignly clueless, those who don't have a clue but it does not matter because they don't do anything anyway. There are the aggressively clueless, those who almost proudly and repeatedly demonstrate their unwillingness to get information before pontificating. There are the pathologically clueless, those for whom it is not that they do not bother to understand, rather that they do not want to understand because the attempt to demean others is the aim of the game. There are the astronomically clueless, those whose closest brush with reality is somewhere the other side of Pluto. Finally there are the mythologically clueless, who are not of this universe and define other universes where their ideas and actions might be appropriate.
From this etymological exploration you might think that I've been reading some Internet mailing list, the one discussing the top level domain names issue, for example. In this case it was an article in Fortune magazine about computer security that led me to engage in this frustration-lessening exercise.
The article is mistitled "Who's reading your e-mail?" and is mostly about computer security, or more accurately the lack of computer security. But the security problems that the article explores are mostly not failures of technology but failures of the thought process. The article includes a sidebar description of a successful "tiger team" attack (with permission) on the computers and network of an unnamed major company. This company had a quite good firewall on its Internet connection, which thwarted the attackers in their attempt to enter by the Internet front door. But as I worried in a previous column (Installing complacency), this company had rather poor procedures and a poor level of user understanding about security behind the wall. In this case the tiger team was able to break in by finding a modem-accessible PC that was running pcAnywhere and was not password protected. Once they had access to that PC, they used it as a staging area to poke at the rest of the company's computers. They were able to gain access to one of the development workstations using an account with the username guest and no password. The article also reports password guessing with a 42% level of success.
It is very frustrating to hear yet again that large corporations which should know better are continuing to refine the meaning of clueless when it comes to user passwords. But I hope that yet another article full of easy-to-understand concepts in a mainstream business publication will get some attention. It is also very frustrating to have the Internet take the blame for corporations where the management is mythologically clueless when it comes to the most basic part of security, user passwords.
disclaimer: Sure, there are clueless at Harvard, but we don't make it into an art form, but the above is my own etymology exercise.